Hacking Facebook via OpenID
2014-01-23 00:42:41.73824+01 by Dan Lyke 0 comments
That's right, the response contained Facebook's /etc/passwd. Now we were going somewhere. By then I knew I had found the keys to the kingdom. After all, having the ability to read (almost) any file and open arbitrary network connections through the point of view of the Facebook server, and which doesn't go through any kind of proxy was surely something Facebook wanted to avoid at any cost. But I wanted more. I wanted to escalate this to a full Remote Execution.
We recently awarded our biggest bug bounty payout ever, and since it's a great validation of the program we've been building and running since 2011, we thought we'd take a few minutes to describe the issue and our response.
Relatedly: Why using an actual XML parser for XML data exchange is a really really bad idea. Seriously, if you're using XML and aren't already using regular expressions to parse it, you should be. Or you should at least be turning off almost every possible feature of the parser.
XML is great for discovering that you have character set issues, but you already knew that. For every other purpose, use something else.
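For readers who take the "turn off almost every possible feature of the parser" route, here is an added example (mine, not code from this post, from the researcher's writeup or from Facebook) of a Python stdlib expat parser that refuses DOCTYPE declarations, entity declarations and external entity references outright, fed two constructed XRDS-style discovery documents: a benign one and one carrying the kind of external entity the bug above abused.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML uses a feature the hardened parser refuses."""


def parse_hardened(data: bytes) -> dict:
    """Parse untrusted XML into a flat {leaf_tag: text} dict.

    Any DOCTYPE, entity declaration or external entity reference aborts the
    parse; a discovery document never needs them, so refusing is the safe
    default rather than trying to resolve them harmlessly."""
    parser = expat.ParserCreate()
    # Never fetch external parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse(feature):
        def handler(*_args):  # expat passes handler-specific args; all ignored
            raise UnsafeXMLError(f"{feature} not allowed in untrusted XML")
        return handler

    parser.StartDoctypeDeclHandler = refuse("DOCTYPE")
    parser.EntityDeclHandler = refuse("entity declaration")
    parser.ExternalEntityRefHandler = refuse("external entity reference")

    leaves, buf = {}, []
    parser.StartElementHandler = lambda _name, _attrs: buf.clear()
    parser.CharacterDataHandler = buf.append

    def end(name):
        text = "".join(buf).strip()
        if text:  # only elements that directly contain text are recorded
            leaves[name] = text
        buf.clear()

    parser.EndElementHandler = end
    parser.Parse(data, True)
    return leaves


def rejects(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample inputs (hypothetical identity provider URL).
BENIGN_XRDS = b"""<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><Type>http://specs.openid.net/auth/2.0/server</Type>
    <URI>https://idp.example/openid</URI></Service></XRD>
</xrds:XRDS>"""

XXE_XRDS = b"""<?xml version="1.0"?>
<!DOCTYPE XRDS [ <!ENTITY leak SYSTEM "file:///etc/passwd"> ]>
<XRDS><XRD><URI>&leak;</URI></XRD></XRDS>"""
```

The second document is refused at the DOCTYPE, before the entity is ever declared or resolved, so the check also stops internal-entity expansion tricks such as billion-laughs.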